2025-03-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article describes in detail how Browsertunnel uses DNS to exfiltrate data from the browser. Interested readers can use it as a reference.
Browsertunnel
Browsertunnel is a tool that helps researchers extract data from a target user's browser over the DNS protocol. It is built on dns-prefetch, a browser feature designed to reduce a site's perceived latency by performing DNS lookups for specified domains in the background. DNS traffic does not appear in the browser's debugging tools, is not blocked by the page's Content Security Policy (CSP), and is usually not detected by corporate firewalls or proxies, which makes it an ideal medium for data theft.
In fact, this is a very old technique. DNS tunneling itself dates back to the 1990s, and researcher Patrick Vananti wrote an article about dns-prefetch in 2016. But so far, Browsertunnel is the first tool that is completely open source and provides both the client and the server side. Because dns-prefetch does not return any data to the client JavaScript, Browsertunnel can only send data in one direction, from the browser to the server. In addition, some browsers disable dns-prefetch by default, and Browsertunnel does not work in them.
Tool composition
A server, written in Golang, that acts as an authoritative DNS server and collects and decodes the messages sent by Browsertunnel.
A small JavaScript library, found in the html/ directory, that encodes and sends messages from the client.
Working mechanism
Browsertunnel can send an arbitrary string over DNS by encoding it into a subdomain name. When the target user's browser triggers recursive resolution of that domain name, the query, and with it the encoded data, is forwarded to the Browsertunnel server.
If the data does not fit into a single domain name (253 bytes), it is split across multiple queries, and the server reassembles and decodes the parts.
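Seen from the resolver side, the mechanism above leaves a recognizable pattern: many distinct, long, random-looking names under one delegated zone. The following Python is an added example, not part of Browsertunnel or the original article; the thresholds, the three-label zone grouping, the base32-style alphabet and all sample query names are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parent_zone(qname, depth=3):
    """Group queries by their last `depth` labels (assumed delegation depth)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])

def suspicious_zones(qnames, min_unique=3, min_avg_len=100, min_entropy=3.5):
    """Flag zones that receive many distinct, long, high-entropy query names."""
    by_zone = defaultdict(set)
    for q in qnames:
        by_zone[parent_zone(q)].add(q.rstrip(".").lower())
    flagged = {}
    for zone, names in by_zone.items():
        # The encoded payload is everything left of the zone, dots removed.
        payloads = [n[: len(n) - len(zone)].replace(".", "") for n in names]
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(entropy, payloads)) / len(payloads)
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[zone] = {"unique": len(names), "avg_len": round(avg_len),
                             "entropy": round(avg_ent, 2)}
    return flagged

def constructed_sample():
    """Constructed query log: four chunk-like names plus ordinary lookups."""
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"  # base32-style, an assumption
    names = []
    for i in range(4):
        body = (alphabet[i:] + alphabet[:i]) * 6               # 192 chars
        labels = [body[j:j + 60] for j in range(0, 180, 60)]   # 3 labels, each under 63
        names.append(".".join(labels) + ".t1.example.com")
    names += ["www.example.org", "mail.example.org", "cdn.assets.example.net",
              "api.assets.example.net", "img.assets.example.net"]
    return names

if __name__ == "__main__":
    for zone, stats in suspicious_zones(constructed_sample()).items():
        print(zone, stats)
```

The three conditions are combined on purpose: CDN and telemetry hostnames often trip one of them, so tune the thresholds against a baseline of your own resolver logs.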
Installation and use of tools
First, set up DNS records that point a subdomain at your server. For example, if your server's IP address is 192.0.2.123 and you want to send data through the subdomain t1.example.com, your DNS configuration should look like this:
t1 IN NS t1ns.example.com.
t1ns IN A 192.0.2.123
On your server, install Browsertunnel with the go get command. Alternatively, compile Browsertunnel on your own machine and copy the resulting binary to the server:
go get github.com/veggiedefender/browsertunnel
Next, run the browsertunnel command, specifying the subdomain you want to use to transfer data:
browsertunnel t1.example.com
To see the full usage of Browsertunnel, use the -help parameter:
$ browsertunnel -help
Usage of browsertunnel:
  -deletionInterval int
        seconds in between checks for expired messages (default 5)
  -expiration int
        seconds an incomplete message is retained before it is deleted (default 60)
  -maxMessageSize int
        maximum encoded size (in bytes) of a message (default 5000)
  -port int
        port to run on (default 53)
Now you can start testing your own DNS channel. You can use the project's demo page or, alternatively, clone the project source code with the following command and then load html/index.html locally for testing:
git clone https://github.com/veggiedefender/browsertunnel.git
If everything is working, you will see the messages in the server's output.
Real-world use
For real-world Browsertunnel usage, you may need to make some adjustments to the code according to the situation:
Write the message to the database instead of printing it out directly
Convert or rewrite the client to support older browsers
Adjust the ID field of the domain name according to your data traffic
Authenticate or encrypt messages so that the transmitted data is confidential and tamper-proof. Don't forget that DNS is a plaintext protocol.